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Abstract 

Recently, an image encryption scheme based on a compound chaotic sequence was 
proposed. In this paper, the security of the scheme is studied and the foUowing 
problems are found: (1) a differential chosen-plaintext attack can break the scheme 
with only three chosen plain-images; (2) there is a number of weak keys and some 
equivalent keys for encryption; (3) the scheme is not sensitive to the changes of 
plain-images; and (4) the compound chaotic sequence does not work as a good 
random number resource. 
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1 Introduction 



Security of multimedia data is receiving more and more attention due to the 
widespread transmission over various communication networks. It has been 
noticed that the traditional text encryption schemes fail to safely protect mul- 
timedia data due to some special properties of these data and some specific 
requirements of multimedia processing systems, such as bulky size and strong 
redundancy of uncompressed data. Therefore, designing good image encryp- 
tion schemes has become a focal research topic since the early 1990s. Inspired 
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by the subtle similarity between chaos and cryptography, a large number of 
chaos-based image encryption schemes have been proposed [1-6]. Unfortu- 
nately, many of these schemes have been found insecure, especially against 
known and/or chosen-plaintext attacks [7-10]. For a recent survey of state-of- 
the-art image encryption schemes, the reader is referred to [11]. Some general 
rules about evaluating the security of chaos-based cryptosystems can be found 
in [12]. 

Recently, an image encryption scheme based on a compound chaotic sequence 
was proposed in [13]. This scheme includes two procedures: substitutions of 
pixel values with XOR operations, and circular shift position permutations 
of rows and columns. The XOR substitutions are controlled by a compound 
pseudo-random number sequence generated from two correlated chaotic maps. 
And the row and column circular shift permutations are determined by the 
two chaotic maps, respectively. This paper studies the security of the image 
encryption scheme and reports the following findings: 

(1) the scheme can be broken by using only three chosen plain-images; 

(2) there exist some weak keys and equivalent keys; 

(3) the scheme is not sufficiently sensitive to the changes of plain-images; and 

(4) the compound chaotic sequence is not random enough to be used for 
encryption. 

This paper is organized as follows. In the next section the image encryption 
scheme under study is briefly introduced. Then, in Section [3l some security 
problems of the scheme are discussed. A differential chosen plain-image attack 
is introduced in Section H] with some experimental results reported. Finally, 
some conclusions are given in Section O 



2 The image encryption scheme under study 

Although not explicitly mentioned, the image encryption scheme was specifi- 
cally tailored to 24-bit RGB true-color images. However, the algorithm itself is 
actually independent of the plain-image's structure and can be used to encrypt 
any 2-D byte array. Therefore, in this cryptanalytic paper, it is assumed that 
the plain-image is an M x (width x height) 8-bit gray-scale image. In other 
words, to encrypt a 24-bit RGB true-color image, one only needs to consider 
the true-color image as a 3M x A^ 8-bit gray-scale image, and then perform 
the encryption procedure. 

Denoting the plain-image by I = {I(i,j)}i<i<M and the corresponding cipher- 

l<j<N 

image by I' = {I'{i,j)}i<i<M , the image encryption scheme proposed in [13] 

l<j<N 
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can be described as followQ 



» The secret key includes two floating-point numbers of precision 10~ xq, yo G 
[—1,1], which are the initial states of the following two chaotic maps: fo{x) = 
Sx"^ - 8a;^ + 1 and fi{y) = iy^ - 3y. 

» The initialization procedure includes generation of three pseudo-random in- 
teger sequences. 

'1) Pseudo-random sequence {Si{k)}^l^ for XOR substitution of pixel values 
Starting from ko = ki = 0, iterate the following compound chaotic map 
for MN times to construct a compound chaotic sequence {zk}k=l- 



Zko+ki+l 



Xko+1 = fo{Xko), if {Xko + l/fci) < 0, 

Vki+i = /i(i/fci), if (xfco + ykj> 0. 



For each iteration of Eq. ([T]), update ko with /cq + 1 if the first condition 
is satisfied, and update ki with ki + 1 otherwise. 

Then, an integer sequence {Si{k)}^J[ is obtained from {zk}^B[ as 



Siik) 



^■256 
255, 



if Zk e [-1,1), 
if Zk = 1, 



(2) 



where \_a\ denotes the greatest integer that is not greater than a. 
(2) Pseudo-random sequence {S2{j)}jLi /^'^ circular shift operations of rows 
Iterate /o from Xk^ for more times to obtain a chaotic sequence 
{xko+j}jLi, and then transform it into {S2{j)}jLi by 
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mJ, if e [-1,1) 



M 



if Xko- 



1. 



(3) Pseudo-random sequence {S3{i)}f£i for circular shift operations of columns 
Iterate /i from y^^ for M more times to obtain a chaotic sequence 
{yki+i}iii, and then transform it into {Ss{i)}fL-^ by 



SM) 




if yk^+i G [-1, 1), 
if yk,+i = 1. 



» The encryption procedure includes an XOR substitution part and two per- 
mutation parts. 
'1) XOR substitution part 



To make the presentation more concise and complete, some notations in the orig- 
inal paper are modified, and some missed details about the encryption procedure 
are supplied here. 
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Taking I as input, an intermediate image I* = {I*(i,j)}i<i<M is ob- 

l<j<iV 

tained as 

r(z,j) = /(z,j)©5i((j-l)-M + z), (3) 

where © denotes the bitwise XOR operation. 

(2) Permutation part - horizontal circular shift operations 

Taking I* as input, a new intermediate image I** = \I**(i, j)} i<i<M is 

l<j<iV 

obtained by performing the following horizontal circular shift operations ^ I: 

r*(^,J) = r((^-^2(J))modM,J). (4) 

(3) Permutation part - vertical circular shift operations 

Taking I** as input, the cipher-image I' is obtained by performing the 
following vertical circular shift operations: 

I'{z,j) = r*{z,{j-S3{i)) mod N). (5) 

Combining the above three operations, the encryption procedure can be 
represented in the following compact form: 

/'(z, j) = © S^iif - 1) • M + z*), (6) 

where j* = (j — 83(1)) mod and i* = {i — S2{j*)) mod M. 
• The decryption procedure is the reversion of the above (after finishing the 
same initialization process) and can be described as 

J(2, j) = J'(r, J*) © S^iU - 1) . M + 2), (7) 

where i* = {i + 5*2(7)) mod M and j* = {j + 5*3 (z*)) mod A^. 



3 Some security problems 

3.1 Insufficient randomness of the compound chaotic sequence 

In [13, Sec. 4.3], the authors claim that the randomness of the generated 
chaotic sequences has been verified by employing the four random tests defined 
in FIPS PUB 140-2 [14]. Here, it is noticed that what they actually refer to is 
an intermediate edition of FIPS PUB 140-2 (updated in October 2001), which 
has been superseded in December 2002, and as a result all the four random 

^ In [13], the authors did not explain in which direction the circular shift operations 
are performed. Since the direction is independent of the scheme's security, here it 
is assumed that the operations are carried out towards larger indices. The same 
assumption is made for vertical circular shift operations. 
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tests have been removed from the pubhcation (see Change Notices 1 and 2, 
pp. 54-58 in [16])[E 

Even for the four random tests defined in the intermediate edition of FTPS 
PUB 140-2, the randomness of the chaotic sequences is still questionable due 
to the following two facts: 

(1) Only the experimental result about one random sequence generated from 
the key (xq, yo) = (0.32145645647836, 0.48124356788345) is shown in [13]. 
However, to study the randomness of a random number resource, a suf- 
ficiently large number of samples should be tested. 

(2) The results of repeating the same test are shown in Table [U which does 
not agree with the data shown in Table 2 of [13]. 

Table 1 

Randomness test results of the chaotic compound sequence generated from the key 
(xo,yo) = (0.32145645647836,0.48124356788345). For runs tests, the two output 
values are the numbers of 0-bit and 1-bit runs, respectively. 



Test item 


Required interval 


Output value (s) 


Result 


Monobit test 


9725 - 10275 


9968 


Pass 


Runs test 


r = 1 


2315 - 2685 


2124, 2142 


Fail 


r = 2 


1114 - 1386 


962, 966 


Fail 


r = 3 


527 - 723 


537, 498 


Fail 


r = 4 


240 - 384 


266, 273 


Pass 


r = 5 


103 - 209 


153, 167 


Pass 


r > 6 


103 - 209 


301, 297 


Fail 


r > 26 


0-0 


3, 3 


Fail 


Poker test 


2.16 - 46.17 


799.37 


Fail 



To investigate the level of randomness of the chaotic compound sequence 
{zk}k=i generated by iterating Eq. ([T]), 100 binary sequences have been tested 
for the encryption of 256 x 256 images with the test suite proposed in [17]. 
The secret keys to generate the 100 binary sequences were chosen randomly. 
For each test, the default significance level 0.01 was adopted. The results are 
shown in Table [21 from which one can see that the compound chaotic function 
Eq. ([T]) cannot be used as a good random number generator. 



3 In [13], the authors cite [16] as the source of PIPS PUB 140-2. However, [16] 
only contains an introduction to PIPS PUB 140-1 (the first edition of FIPS PUB 
140) [15]. By comparing the required intervals shown in Table 2 of [13] with those 
published in different editions of FIPS PUB 140, we finally concluded that FIPS 
PUB 140-2 (Change 1) was the one used by the authors of [13]. 
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Table 2 

The performed tests with respect to a significance level 0.01 and the number of 
sequences passing each test in 100 randomly generated sequences. 



Name of Test 


Number of Passed Sequences 


Frequency 


91 


Block Frequency (m = 100) 





Cumulative Sums-Forward 


88 


Runs 





Rank 


67 


Non-overlapping Template (m = 9, B = 101001100) 


48 


Serial (m = 16) 





Approximate Entropy (m = 10) 





FFT 






3.2 Weak keys 



For the image encryption scheme under study, it is found that some keys will 
cause some or even all encryption parts to fail, due to the existence of some 
fixed points of the chaotic maps involved: /o(l) = 1, = 1, /i(0) = 0, 

1) = —1. Four typical classes of weak keys and the negative influences on 
the randomness of the chaotic sequences are listed below: 

(1) Xo = l: f{xo) = l^ S2{j) = M-l; 

(2) yo = 1: fi{yo) = 1, only fi{y) is iterated in Eq. ^ Si{k) = 255, 
S,{i) = N-l- 

(3) 2/o = -l:/i(yo) = -1^53«=0; 

(4) xo >0,yo = 0: /i(yo) = 0, only f,{y) is iterated in Eq. 1^ Si{k) = 128, 
Ssii) = N/2. 

By combining the above conditions, three extremely weak keys can be found 
from the above general ones: 

. Xo = l,yo = 1: Siik) = 255, S^U) = M - 1, S^it) = N - 1; 

• Xo=l,yo = -1: S,{k) = 0, S2{j) =M-1, S^it) = 0; 

• xo=l,yo = 0: S,{k) = 128, S^U) =M-1, S^it) = N/2. 

Furthermore, whenever (x^p, y^J satisfies one of the above-listed conditions in 
the process of iterating Eq. ([1]), the corresponding secret key {xo,yo) is also 
found to be weak. For instance, from /o(— 1) = /o(0) = 1, 0.5) = 1 and 
/i(0.5) = —1, the following examples can be derived easily: (1) Xq G {0, — 1}; 
(2) I/O = —0.5; (3) yo = 0.5. From these examples, one can further discover 
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some extremely weak keys as follows: 

. xo e {0, -1}, yo e {-0.5, 1}: S^ik) = 255, 32(3) = M - 1, S^it) = N - 1; 
m xo = 0, yo = 0.5: ^i(2) = 255, ^i(A;) = for /c ^ 2, ^2(7) = M - 1, 
S-sii) = 0; 

. Xo = 0, = -1 orxo = -1, yo G {-1,0.5}: Si{l) = 255, ^i(A;) = for 
k>2,S2i3) = M-l,Ssii)=0; 

• Xo = 0,yo = 0: ^i(A;) = 128, S2{j) = M-1, S^ii) = N/2; 

• Xo = -1, yo = 0: Si{l) = 255, Si{k) = 128 for k > 2, S2{j) = M - 1, 
S3{t) = N/2. 



3.3 Equivalent keys 



Equivalent keys mean some different keys that generate the same cipher-image 
for any given plain-image, i.e., they are completely equivalent to each other. 
From Fig. [1^) one can see that function fo may have four points whose func- 
tional values are the same: ±x, ±-\/l — x^. From Fig. [lb) one can see that 
function fi may have three points whose functional values are the same: y, 





a) b) 
Fig. 1. The images of functions fo{x) and fi{y) 

Since only the field of rational number is considered, one can see that (xq, yo) 
and (— Xci/o) are equivalent when I2/0I > |a;o|- 

3.4 Low sensitivity to plaintext changes 



In [13, Sec. 4.4] the authors claim that their scheme is sensitive to plaintext 
changes, which is, however, not true. From Eq. ([6]) one can easily see that 
changing one bit of I{i*,j*) influences the same bit of I'{i,j), only. Note 
that this low sensitivity is actually a common problem with all XOR-based 
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encryption systems. But it becomes trivial if the key is not repeatedly used. 
In this case, it is rare that two slightly different plaintexts are encrypted by 
the same keystream. 



3.5 A remark on the compound chaotic map 

In Section 2.2 of [13], the authors have provided some theoretical results about 
the compound chaotic map defined as follows: 



and claimed that "F(a;) can be employed as ideal sequence cipher". Unfor- 
tunately, as shown in Eq. ([1]), what they actually employed in the design of 
the image encryption scheme is a simple combination of two separately (but 
not independently) iterated chaotic maps /o and /i, which has nothing to do 
with the above compound chaotic map ([8]). This makes all the theoretical re- 
sults given in [13, Section 2.2] completely irrelevant to their image encryption 
scheme. 



4 Differential chosen-plaintext attack 

In [13, Sec. 4.6] the authors claim that their scheme can withstand chosen- 
plaintext attack efficiently. It is found, however, that their scheme can be 
broken with only three chosen plain-images. 

The proposed attack is based on the following fact: given two plain- images 
Ii, I2 and the corresponding cipher- images I'^, I2, one can easily verify that 



I'S,]) ® = h{i%3*) ® h{i*,J*), where f = (j - S^ii)) mod N and 



i* = {i — 5*2(7*)) mod M. This means that the XOR substitution operations 
disappear and only the permutations remain. According to the quantitative 
cryptanalysis given in [6], permutation-only ciphers are always insecure against 
plaintext attacks, and only [log256(MA^)] plain-images are required for a suc- 
cessful chosen-plaintext attack. Once the permutation part is broken, the XOR 
substitution can be cracked easily. This is a typical divide- and- conquer (DAC) 
attack that breaks different encryption components separately. 

Since the permutations in the image encryption scheme are a simple combina- 
tion of row-shift and M column-shift operations, the number of required dif- 
ferential plain-images will not be greater than 2, even when ("log255(MA^)] > 2. 
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This means that only 3 chosen plain-images suffice to implement the attack. 
In the sequel, the DAC attack is described step by step. 



Breaking {S3{i)}fli (i.e., vertical shift operations) 

If two plain-images Ii and I2 are chosen such that each row of Ii © I2 
contains identical pixel values, then the horizontal circular shift operations 
will be canceled and only vertical ones are left. If further Ii and I2 are chosen 
such that each column of Ii © I2 has an unambiguous pattern to recognize 
the value 6*3 (i), then the vertical shift operations are broken. For example, 
one can choose Ii and I2 as 

Ji(:,j)©/2(:,j) = r' (9) 

In this case, by looking for the new position of the sole black pixel in each 
column, one can immediately derive all values of {S3{i)}f£i. 
Breaking {S2{j)}jLi (i.e., horizontal shift operations) 

Once all vertical shift operations have been broken, one can use the same 
strategy to break the horizontal shift operations. For this purpose, one needs 
to choose Ii and a new plain-image I3 such that each column of Ii © I3 
contains identical pixel values and each row has an unambiguous pattern so 
as to recognize the value of 52 (j). For example, one can choose Ii and I3 as 



0, t = l, 
255, 2 <i<M. 



In this case, by looking for the new position of the sole black pixel in each 
row, one can immediately derive all values of {5'2(j)}jLi- 
Breaking {Si{i)}fii (i.e., XOR substitutions) 

After the values of {S2{j)}f=i and {S^{i)}fLi are obtained, the encryption 
scheme becomes a simple XOR-based stream cipher, and {Si{k)}^J[ can 
immediately be recovered via 



S,{{j-l)-M + t) = h{i,j)®I'S\f), 

where i* = {i + S2{j)) mod M and j* = (j - 6*3 (z*)) mod A^. 

To validate the performance of the above attack, some experiments have been 
carried out for some chosen plain-images of size 256 x 256. Here, the exper- 
imental results with the random secret key used in Section 13.11 are reported. 
One plain- image "Peppers" is chosen as Ii, and the second plain-image is 
chosen such that the differential image Ii © I2 is as shown in Eq. The 
third plain-image is chosen such that Ii © I3 = (Ii © 12)"^- These three chosen 
plain-images and the corresponding cipher-images are shown in Fig. [2l The 
recovered pseudo-random sequences are used to decrypt a new cipher-image 
I4, which is shown in Fig. and the result is given in Fig. [SJi). 
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Il b)l2 C)l3 d)ll 




e)i; f)I^ g)I'3 h)l4 

Fig. 2. The proposed differential chosen-plaintext attack: a demonstration 
5 Conclusion 



The security of a recently published image encryption scheme based on a 
compound chaotic sequence has been studied. It is found that the scheme can 
be broken with only three chosen plain-images. In addition, it is found that 
the scheme has some weak keys and equivalent keys, and that the scheme 
is not sufficiently sensitive to the changes of plain-images. Furthermore, the 
pseudo-random number sequence generated by iterating the compound chaotic 
function is found not to be sufficiently random for secure encryption. In sum- 
mary, the scheme under study is not secure enough. Therefore, it is not be 
recommended for applications requiring a high level of security. 
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